Security protection of software libraries in a data processing apparatus

ABSTRACT

A processing apparatus  2  has a secure domain  90  and a less secure domain  80 . Security protection hardware  40  performs security checking operations when the processing circuitry  2  calls between domains. A data store  6  stores several software libraries  100  and library management software  110 . The library management software  110  selects at least one of the libraries  100  as an active library which is executable by the processing circuitry  4  and at least one other library  100  as inactive libraries which are not executable. In response to an access to an inactive library, the library management software  110  switches which library is active.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims priority to GB Application No. 1310421.1, filed12 Jun. 2013, the entire contents of which is incorporated herein byreference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to the field of data processing. Moreparticularly, the invention relates to security protection of softwarelibraries in a data processing apparatus.

2. Description of the Prior Art

A data processing apparatus may have a secure domain and a less securedomain. When operating in the secure domain, data can be accessed thatis not accessible when operating in the less secure domain. Thisprovides a way of protecting potentially sensitive data and code fromaccess by unauthorized persons or programs.

However, there is an increasing need to protect multiple softwareapplications from each other. As the number of applications increases,it becomes more complex to maintain security. The present techniqueseeks to address this problem.

SUMMARY OF THE INVENTION

Viewed from one aspect, the present invention provides a data processingapparatus comprising:

processing circuitry for performing data processing in response toinstructions, the processing circuitry having a plurality of domains ofoperation including a secure domain and a less secure domain, wherein atleast some data accessible to the instructions when operating in thesecure domain is inaccessible when operating in the less secure domain;

security protection hardware configured to perform a first securityprotection operation in response to the processing circuitry callingbetween the less secure domain and the secure domain; and

a data store configured to store a plurality of software libraries andlibrary management software for execution by the processing circuitry;wherein:

the library management software is configured to control the processingcircuitry to set at least one of the plurality of software libraries asan active software library which is executable by the processingcircuitry, and to set at least one other software library as an inactivesoftware library which is not executable by the processing circuitry;and

in response to the processing circuitry calling a target inactivesoftware library, the library management software is configured toperform active library switching to control the processing circuitry toset the target inactive software library as an active software libraryand to set a previously active software library as an inactive softwarelibrary.

It may be desirable to provide multiple different software libraries ina processing apparatus. The libraries may be provided by differentsoftware vendors who may not trust each other and so it may be desirableto enforce security between the libraries. An option would be for allsecurity checking between software libraries to be handled in software,for example using an operating system. However, this approach tends tobe slow because the processing of the processing circuitry must beinterrupted to invoke the operating system security behaviour each timethere is a function call to a protected library. On the other hand, afully hardware-implemented solution could implement each softwarelibrary as a separate security domain and use dedicated hardware toenforce security between the libraries. However, the number of softwarelibraries existing on the same device may be large and so the amount ofdedicated hardware resource for maintaining each library as a separatedomain can be expensive in terms of circuit area and power consumption.

To address these problems, the present technique provides a hybridapproach using dedicated security protection hardware and librarymanagement software. The security protection hardware controls callsbetween a less secure domain and a secure domain. When calling betweendomains, the security protection hardware can perform a first securityprotection operation, which may include various measures for ensuringthat less secure code cannot access secure data or secure code withoutpermission. On the other hand, switching between different softwarelibraries within a domain is controlled using library managementsoftware executed by the processing circuitry itself. The librarymanagements software selects at least one of the software libraries asan active library and at least one other software library as an inactivesoftware library. Software libraries which are designated as inactiveare not executable by the processing circuitry, and security criticalresources associated with that library are not accessible to the activelibrary. If the processing circuitry attempts to call to an inactivesoftware library, then the library management software controls theprocessing circuitry to switch which library is active so that therequired library becomes active and the previously active librarybecomes inactive. Hence, the library management software effectivelyvirtualizes the security protection protocols between different softwarelibraries so that the system behaves as if the processing circuitry hasmany protection domains each corresponding to different protectedlibraries, while from the hardware point of view there are fewer domainswith one software library being selected as an active library at a time.

This approach is faster than a fully software-implemented approach,because the dedicated security protection hardware allows function callsto be made directly to an active software library in the other domainwithout invoking software on the processing circuitry. Repeated calls tothe same active library do not invoke the library management software,and any security precautions associated with calling between the lesssecure domain and the secure domain can be controlled quickly inhardware with little interruption to the processing being performed bythe processing circuitry. The performance overhead of switching betweenlibraries using the library management software is only encountered whenan inactive library is required. In practice, this does not happen oftenin comparison to calls to an already active library, and so the overallperformance is close to that achieved by a fully hardware implementedapproach, but with less hardware overhead.

Each software library may include both instructions and data associatedwith that library. For example, a library may represent a particularapplication such as a banking or virtual payment application.

When the processing circuitry calls to an inactive software library,then the library management software may control the processingcircuitry to perform a second security protection operation. If thissecond security protection operation is unsuccessful then an error canbe triggered, while if it is successful then the active libraryswitching may be performed to make the target library active. Hence, inaddition to the first security protection operation performed inhardware if there is a cross-domain call, an additional layer ofsecurity protection may be provided by the library management software.The second security protection operation may be performed even if thereis no cross-domain call which is monitored by the security protectionhardware. For example, a software library may only allow anothersoftware library to branch to certain points of the library code, and ifanother software library attempts to branch to a location in the librarywhich is not at a valid entry point then an error can be triggered bythe library management software. Also, only certain libraries may betrusted to branch to a given library, with an error being triggered ifthe library management software detects a non-trusted library callingthe library.

To maintain security, it may be desirable for the library managementsoftware to select one library as the active library and to select theother libraries as an inactive library, so that one library is active ata time and securely controlled library switching is required in orderfor libraries to interact with each other.

On the other hand, it may be preferred to maintain multiple activelibraries and the other libraries as inactive. For example, it may onlybe necessary to protect some libraries from intrusion and otherlibraries may not need to be protected. In this case, some librariescould be made permanently active. Also, there may be a set of librarieswhich are trusted to interact with each other, and so when one of theselibraries is active the other libraries are also made active. Also,there may be different subsets of libraries, and within each subset oflibraries one active library can be selected with the other libraries inthe subset being inactive. Also, as the security protection hardware canenforce security between the secure domain and the less secure domain,it is possible to designate one active library in the secure domain andone active library in the less secure domain, which still cannot accesseach other without permission due to the protection provided by thehardware. Therefore, there are a number of reasons why it might bedesirable to set multiple libraries as active simultaneously. Ingeneral, the library management software may ensure that an inactivelibrary is prevented from being accessed inappropriately by an activelibrary.

While the present technique can be used in the less secure domain, it ismost useful in the secure domain which will typically be used forsoftware libraries which are likely to process sensitive information.Therefore, in one example the managed software libraries may be securesoftware libraries in the secure domain, with the library managementsoftware not managing any libraries in the less secure domain.Alternatively, separate secure and less secure library managers may beprovided for handling switching between libraries in the secure domainand less secure domain respectively.

A memory protection unit (MPU) may be used to control which librariesare active or inactive. The MPU can be used to designate regions of thedata store as accessible or inaccessible, with accesses to inaccessibleregions triggering a fault condition. Hence, the active libraryswitching by the library management software may include updating theaccess permissions in the MPU to indicate different regions asaccessible or inaccessible. If an inactive library is accessed, thecorresponding memory region is indicated as inaccessible in the MPU, andso the MPU may generate a fault which can trigger the library managementsoftware to perform the active library switching.

The active library switching may also include updating a stack pointerin a stack pointer storage location to correspond to the newly activelibrary. A stack may be provided in the data store for at least some ofthe software libraries. When active, the library can use the stack tostore temporary data. Not all libraries need to have stacks allocated inthe data store, since stacks can be allocated dynamically as librariesare switched from the inactive state to the active state. Each allocatedstack has a corresponding stack pointer which identifies its location inmemory. The exact location indicated by the stack pointer may vary. Forexample, the stack pointer may indicate the location of the last datavalue placed on the stack, or the location to which the next data valueplaced on the stack should be written. By updating the MPU and stackpointer when switching from one library to another, the newly activelibrary cannot access the stack associated with the previously activelibrary, which may be sensitive data. If multiple libraries are allowedto be active simultaneously, then multiple stack pointer registers maybe provided. For example, there may be a secure stack pointer storagelocation and a less secure stack pointer storage location which storestack pointers for the currently active secure library and less securelibrary respectively.

The security protection hardware may have a security protection unitwhich stores security data defining secure and less secure regions ofthe data store associated with the secure domain and less secure domainrespectively. The current domain of operation of the processingcircuitry may be selected based on whether the instruction currentlybeing processed is in the secure region or the less secure region of thedata store. Typically code that is located in the secure region wouldexecute the secure domain while code located in the less secure regionwould execute in the less secure domain, although there may be someexceptions. When a branch instruction attempts to branch from a locationassociated with one of the secure and less secure domains to a locationassociated with the other domain, then the first security protectionoperation may be performed by the security protection hardware.

The first security protection operation may include several differentmeasures for preventing inappropriate access to secure information. Somemeasures may only be required when calling from the secure domain to theless secure domain, or vice versa.

For example, the first security protection operation may includechecking whether a first instruction to be executed following aprotected change of program flow is an allowed target instruction forthat change of program flow. This can be particularly useful when theprotected change of program flow is a branch to an instruction to beexecuted in the secure domain. It can be dangerous to allow branches tojump to the middle of a secure function because this may allow securityprecautions such as a password check provided earlier on in the securefunction to be circumvented. To prevent this, a predeterminedinstruction (e.g. a special guard instruction) may be designated as anallowed target instruction for the change of program flow, and theallowed instruction may be included in the secure code to mark theallowed function entry points. Following a protected change of programflow (e.g. a branch to an instruction in the secure region), thesecurity protection hardware can check whether the first instruction tobe executed following the call is the allowed target instruction. Ifnot, then a security fault can be triggered.

Also, the first security protection operation may include protection offunction return addresses following a protected function call. Forexample, if a function is called from code in the secure domain andtargets code in the less secure domain, then it would be undesirable toallow the code in the less secure domain to access the return address ofthe function. If the less secure function were able to modify the returnaddress then it would be able to affect the program flow of the securecode, which could lead to security protections being circumvented byjumping into the middle of secure functions. To prevent this, thehardware may take steps to hide the function of return address from theinstructions executed after the function call. For example, the returnaddress may be stored to a stack associated with the secure code whichcalled the function, which cannot be accessed by the code in the lesssecure domain.

The first security protection operation may also include checkingwhether, following a change of program flow, the domain to whichprocessing has been switched is an allowed domain specified for thatchange of program flow. There are certain security attacks in which lesssecure code can cause a branch instruction in the secure domain which isexpected to branch to the less secure domain to instead branch to alocation in the secure domain, allowing less secure code to makeuncontrolled changes of program flow in the secure domain. To preventthis, at least one allowed domain may be specified for certain changesof program flow, and following the change of program flow the hardwaremay check whether the destination domain matches the allowed domain. Thefirst security protection operation may also include security checks andoperations other than those described above.

The security protection hardware provides measures for ensuring securitywhen calling between the less secure domain and the secure domain.However, these measures may also be desired when calling betweendifferent software libraries within the same domain. This can beachieved in different ways. In one example, when calling betweenlibraries in the same domain, the processing circuitry may temporarilyswitch to the other domain before switching back again to the originaldomain. The temporary switch of domains makes the library call appear asa call between the secure domain and the less secure domain even thoughboth libraries are actually in the same domain, and so triggers thehardware to perform the first security protection operation so that thesame security measures performed when calling between domains can alsobe used when calling between libraries in the same domain.

For example, to invoke the security protection hardware when callingbetween libraries in the same domain, the active library may execute abranch instruction which specifies a target address of a location withinthe target inactive library together with an indication that the systemshould switch to the other domain when carrying out the branch. Thiscauses the system to switch to the other domain for a period beforeswitching back when it is determined that the target location isactually associated with the original domain. This approach has theadvantage that the security measures for the switch of libraries areperformed quickly in hardware.

Alternatively, the system may remain in the current domain when callingbetween two libraries in the same domain and the library managementsoftware may perform the first security protection operation. Anyoperations which would normally be performed by the security protectionhardware when calling between different domains can be performed insteadby the library management software executing on the processingcircuitry. This avoids the need for a special mechanism for temporarilyswitching between domains as in the previous example, and ensures thatoperands passed between the libraries do not become accessible to theless secure domain.

As mentioned above, part of the first security protection operationprovided by the security protection hardware may be hiding the functionreturn address from subsequent software following a function call. Thismay also be performed by the library management software when there is aswitch between libraries in the same domain. This need not be performedfor all function calls—it may be enough to hide the function returnaddress only for certain protected function calls. One way of achievingthis is to store the function return address to a stack associated withthe active software library before switching from that library.

This approach is in contrast to the usual method of storing a functionreturn address to a link register which is accessible to all libraries.A dummy function return address can be stored to the link registerinstead. The dummy function return address does not correspond to avalid instruction address, which indicates that when a function returnis made to the dummy address, the security protection hardware shouldread the actual function return address from the stack associated withthe active software library and then trigger the function return to theactual function return address.

However, after storing the actual function return address to the stack,there may then be a switch to another software library which may causethe stack pointer to be swapped. Therefore, when returning from thefunction call, the stack storing the function return address may not beaccessible anymore. To address this problem, after a protected functioncall has been made, the library management software may set informationto indicate that there has been a switch to another software library. Onthe corresponding function return, the library management software maycheck the information to see if there has been a library switch, and ifso may perform active library switching back to the original library sothat the function return address can be accessed from the stack.

The information set to indicate that there has been a switch of activelibraries may have various forms. For example, this information may bean invalid return address which does not correspond to a validinstruction address (e.g. a different invalid address to the dummyreturn address stored to the link register by the hardware). Forexample, the invalid return address may be stored to a stack of theother software library to which processing is switched after theprotected function call has been made. The use of the invalid returnaddress by the other software library causes a fault, which may be usedto trigger the library management software to perform active libraryswitching back to the original library.

Also, the library management software may maintain status informationindicating which of the software libraries made the protected functioncall. On returning from the protected function call, if the libraryindicated by the status information is currently inactive, then thelibrary management software can switch to the library indicated by thestatus information. This allows the system to determine the stack fromwhich the return address should be obtained. If there are only twolibraries managed by the library management software then the statusinformation may not be essential.

The status information can be stored when making the protected functioncall, or could be stored later when switching to a different activelibrary. In one example, the status information may indicate at least apartial history of functions that were called so that later on it ispossible to backtrack to identify the library which called originalfunction. However, monitoring the function call tree may be complex asthere could be many nested functions which are processed beforereturning the original function call, it may be simpler to store anindication of the original caller library without tracking all thesubsequent processing of functions. One way of doing this is to storethe status information to a stack associated with the other softwarelibrary.

If the status information is stored to a location which is accessible byanother software library, then the other library may be able to modifythe status information, which could cause unpredictable and insecureoperations. To prevent this, the library management software may controlthe processing circuitry to store verification information to the stackof the library which made the protection function call. Thisverification information can be used on a function return to check thatthe status information has not been modified. For example, theverification information may comprise an indication of which library isthe other library whose stack stores the status information. If thestatus information is modified by the software then the function returnmay no longer return to the original caller library and the library towhich processing is switched instead may not have the correctverification information, allowing the modification to be detected andan error to be raised.

While a secure domain and a less secure domain are discussed above, theapparatus may also have further domains, with the security protectionhardware controlling transitions between domains. Hence, the securedomain and less secure domain mentioned above may be two of a greaternumber of domains. There may be an active library in each of thedomains, so that there can be multiple active libraries simultaneously.

Viewed from another aspect, the present invention provides a dataprocessing apparatus comprising:

processing means for performing data processing in response toinstructions, the processing means having a plurality of domains ofoperation including a secure domain and a less secure domain, wherein atleast some data accessible to the instructions when operating in thesecure domain is inaccessible when operating in the less secure domain;

security protection hardware means for performing a first securityprotection operation in response to the processing means calling betweenthe less secure domain and the secure domain; and

storing means for storing a plurality of software libraries and librarymanagement software for execution by the processing means; wherein:

the library management software is configured to control the processingmeans to set at least one of the plurality of software libraries as anactive software library which is executable by the processing means, andto set at least one other software library as an inactive softwarelibrary which is not executable by the processing means; and

in response to the processing means calling a target inactive softwarelibrary, the library management software is configured to perform activelibrary switching to control the processing means to set the targetinactive software library as an active software library and to set apreviously active software library as an inactive software library.

Viewed from another aspect, the present invention provides a method ofdata processing for an apparatus comprising processing circuitry havinga plurality of domains of operation including a secure domain and a lesssecure domain, wherein at least some data accessible to the instructionswhen operating in the secure domain is inaccessible when operating inthe less secure domain, and a data store storing a plurality of softwarelibraries and library management software for execution by theprocessing circuitry; the method comprising:

under control of the library management software, the processingcircuitry setting at least one of the plurality of software libraries asan active software library which is executable by the processingcircuitry and setting at least one other software library as an inactivesoftware library which is not executable by the processing circuitry;

in response to the processing circuitry calling between the less securedomain and the secure domain, the security protection hardwareperforming a first security protection operation; and

in response to the processing circuitry calling a target inactivesoftware library, the library management software performing activelibrary switching to control the processing circuitry to set the targetinactive software library as an active software library and to set apreviously active software library as an inactive software library.

The above, and other objects, features and advantages of this inventionwill be apparent from the following detailed description of illustrativeembodiments which is to be read in connection with the accompanyingdrawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The above, and other objects, features and advantages of this inventionwill be apparent from the following detailed description of illustrativeembodiments which is to be read in connection with the accompanyingdrawings, in which:

FIG. 1 illustrates a data processing apparatus having securityprotection hardware;

FIG. 2 illustrates a software technique for maintaining security betweensoftware libraries;

FIG. 3 illustrates a hardware technique for maintaining security betweensoftware libraries;

FIG. 4 illustrates a hybrid technique using software to partitiondifferent software libraries in the secure domain and hardware toseparate the secure domain from the less secure domain;

FIG. 5 illustrates an example of an address space having a secure regionand a less secure region;

FIG. 6 illustrates a first example of switching between different securelibraries in the secure domain;

FIG. 7 illustrates a second example of switching between differentsecure libraries in the secure domain;

FIG. 8 illustrates a security protection method;

FIG. 9 illustrates a method of performing active library switching inresponse to a memory protection fault;

FIG. 10 illustrates an example of nested function calls;

FIG. 11 illustrates an example technique for protecting a functionreturn address when performing the function calls shown in FIG. 10; and

FIG. 12 illustrates an example in which the secure domain and lesssecure domain each have library management software for controllingswitching between libraries in that domain.

DESCRIPTION OF EXAMPLE EMBODIMENTS

FIG. 1 schematically illustrates a data processing apparatus 2comprising processing circuitry 4, a data store 6 and registers 8. Thedata store 6 may include at least one cache as well as a memory. Theprocessing circuitry 4 comprises a processing pipeline which includes afetch stage 10 for fetching instructions from the data store 6, a decodestage 12 for decoding the fetched instructions, and an execute stage 14for executing the decoded instructions. It will be appreciated that thepipeline may include other stages, for example a register renaming stageor issue stage.

The registers 8 include several general purpose registers R₀ to R₁₂ forstoring data on behalf of the processing circuitry 4. While FIG. 1 shows13 general purpose registers R₀ to R₁₂, other numbers of registers maybe provided, and optionally floating point registers for storingfloating point values could also be provided. The registers 8 alsoinclude some special purpose registers including a program counter (PC)register 20, a link register (LR) 22 and stack pointer (SP) registers24, 26. The program counter register 20 stores a program counterindicating the address of the next program instruction to be executed bythe processing circuitry 4. Generally, following execution of aninstruction the program counter will be updated to indicate the nextinstruction from memory. However in response to a control flow alteringinstruction the program counter can be set to a value which does notfollow sequentially from the previous value. The link register 22 maystore a return value used when returning from a function or an exceptionto determine which program instruction should be processed followingcompletion of the function or exception. The stack point registers 24,26 store secure and less secure stack pointers respectively, which pointto a secure stack 30 and less secure stack 32 in the data store 6. Forexample, the stack pointers can indicate the location of the last itemplaced on the stack 30, 32, or can indicate the next location to which adata value placed on the stack 30, 32 should be written.

Security protection hardware 40 is provided to enforce separationbetween a secure domain and a less secure domain. The securityprotection hardware has a security protection unit 42 which storesprotection data defining, for each region of the data store 6, whetherthe region is a secure region or a less secure region. FIG. 1 shows anexample in which the data store 6 has one secure region 44 and a lesssecure region 46, but in practice the data store 6 may include severalregions of each type. Code 46 located within the secure region 44 of thedata store 6 is executed by the processing circuitry 4 in the securedomain while code 48 located within the less secure region 46 isexecuted in the less secure domain. When in the less secure domain, theprocessing circuitry 4 cannot access data or instructions stored in thesecure region 44. Transitions between the less secure domain and thesecure domain are controlled by the security protection hardware 40 toensure that only certain allowed transitions are accepted.

The data processing apparatus 2 comprises a secure memory protectionunit (MPU) 50 and a less secure MPU 52 for defining access permissionsfor the secure and less secure regions 44, 46 of the data store 6respectively. The access permissions control whether sub-regions of thesecure and less secure regions 44, 46 are accessible or inaccessible.The regions defined by the secure MPU 50 and less secure MPU 52 mayoverlap. For example, the secure MPU 50 and less secure MPU 52 maydefine different attributes for the same memory region.

FIG. 2 shows a software technique for maintaining separation betweendifferent software libraries 55. Different software libraries 55 may beprovided by different, mutually distrustful, software vendors, and soaccess by one library 55 to data or code associated with another library55 may need to be prevented. A real time operating system 58 or trustmanager may be provided to manage switches between the softwarelibraries 55. When one library seeks to access data or code associatedwith another library that is defined as protected by the operatingsystem 58, MPU hardware may check whether this is allowed and if not maytrigger a fault. In such an implementation, the security protectionhardware 40 of FIG. 1 is not provided. When switching libraries,processing on the processing circuitry 4 needs to be interrupted so thata security handler in the operating system 58 can be executed. Thisreduces processing performance of the processing circuitry 4 and so thistechnique is slow compared to hardware techniques.

On the other hand, FIG. 3 shows an example of a hardware technique forseparating different domains. In this case, the security protectionhardware 40 maintains the boundary 70 between a less secure domain and asecure domain and each software library 60 has its own domain. As thesecurity of transitions between the domain is controlled by thehardware, the transitions between libraries are fast and it is notnecessary to invoke a software handler. However, it is difficult withthe hardware implementation of FIG. 3 to maintain a large number ofdifferent, mutually protected, software libraries, because the amount ofdata stored in the security protection unit 42 becomes very large, andso in practice this limits the number of different domains that can besupported.

To address these issues, FIG. 4 shows a hybrid hardware/softwaretechnique which enables many mutually distrusted software libraries tobe maintained in a more hardware efficient way than the technique shownin FIG. 3 but with greater performance than the approach shown in FIG.2. The security protection hardware 40 provides security protection formaintaining the boundary 70 between the less secure domain 80 and securedomain 90. Multiple secure software libraries 100 are executed in thesecure domain, and are protected from accessing each other using thesecure MPU 50 and library management software 110 which is also executedin the secure domain. The library management software 110 managestransitions between the different secure libraries 100. The librarymanagement software 110 selects one or more libraries 100 as an activelibrary and selects other libraries as inactive. For example, in FIG. 4the secure library 0 is set as the active library and the otherlibraries 1 to N are inactive. The active and inactive libraries can beselected by setting the MPU permissions in the secure MPU 50 so that aregion corresponding to an active library is accessible and a regioncorresponding to an inactive library is inaccessible. Libraryconfiguration data 112 is used by the library management software 100 todetermine the access permissions to be written to the secure MPU 50 whencertain libraries are active.

When a function call 120 is made from software in the less secure domain80 to an active library then the security protection hardware 40performs security checking operations. Since the security checking isperformed in hardware, it is fast and the function call 120 can be madedirectly to the secure library 100 without other software routineshaving to be performed first by the processing circuitry 4.

On the other hand, if a function call 130 is made from code in the lesssecure domain 80 to an inactive library 100 in the secure domain 90,then a memory protection fault will be triggered by the secure MPU 50because the region corresponding to the inactive library is currentlyset as inaccessible. A memory manage exception 140 is triggered by thisfault and this invokes a fault handler 150 in the library manager 110which causes the active library to be switched so that now the librarytargeted by function call 130 (library 1 in this example) becomes theactive library while the previously active library (library 0 in thisexample) becomes inactive. The fault handler 150 switches theconfiguration of the secure MPU 50 based on the library configurationdata 112 so that subsequent function calls to the newly active librarywill be allowed and function calls to the old library which is nowinactive will now trigger a fault. Also, the fault handler 150 changesthe stack pointer in the secure stack pointer register 24 to indicate astack in the data store 6 associated with the newly active libraryinstead of a stack associated with the previously active library. Thisensures that the new library can access the stack associated with it. Ifthe new library does not already have a stack, then a stack is allocatedin the secure region 44 of the data store 6. The library manager 110 canalso perform some software security checks to determine whether theswitch of libraries is permitted. Meanwhile, since the function call 130crossed the domain boundary 70, the hardware security measures are againprovided by security protection hardware 40 in a similar way to functioncall 120.

Therefore, the library manager 110 virtualizes different securelibraries 100 operating in the same hardware security domain so thatonly some libraries are active at a time and the active libraries areprevented from accessing inactive libraries, with calls to inactivelibraries being managed by the library manager 110 to ensure security.The overhead of changing the secure MPU 50 configuration using thelibrary manager 110 is only encountered when a call is made to aninactive library and subsequent calls to the same library do not cause afault 140 and have minimal overheads. This allows an almost unlimitednumber of protection domains corresponding different software libraries100 to be supported.

FIG. 5 shows an example of the memory address space of the data store 6.The address space bias a secure region 44 and a less secure region 46.While FIG. 5 shows one less secure region 44 and one secure region 46, agreater number of secure regions and less secure regions could beprovided. The security protection unit 42 stores data defining whichregions of the data store 6 are secure regions and which regions areless secure regions.

The secure region 44 includes one or more secure stacks 30 correspondingto at least some of the secure software libraries 100. It is notnecessary to provide stacks in the address space for all of the softwarelibraries 100. Instead, stack storage space can be allocated tolibraries 100 as the libraries become active. The secure region 34 alsocomprises unprivileged secure code 46 corresponding to the softwarelibraries 100 and privileged secure code 47 corresponding to the librarymanagement software 110. The secure MPU 50 controls which code and datais unprivileged or privileged.

Similarly, the less secure region 46 includes less secure code 48(including privileged and unprivileged code) for executing in the lesssecure domain 80, a less secure stack 32 used by the less secure code48, and less secure data 39. Less secure MPU 52 controls whether data orcode in the less secure region 46 is privileged or unprivileged.Typically, unprivileged code cannot access privileged data or code.

The memory address space also includes a reserved address range 150which does not correspond to any valid instruction address. Thisreserved range can be used for special functions, such as dummy returnaddresses as shall be described below. For example, the reserved addressrange 150 may comprise addresses in the range 0xF0000000 to 0xFFFFFFFF.

When crossing the boundary 70 between the less secure domain 80 andsecure domain 90, the security protection hardware 40 performs securityprotection operations, which may include at least one of the following:

-   -   The security protection hardware 40 may generate a fault if,        following a branch to the secure domain 90 from the less secure        domain 80, the instruction at the branch target address does not        contain a guard instruction representing a valid entry point        into the secure code. This prevents attacks where less secure        code attempts to branch to the middle of a secure function,        which can be dangerous because it could allow security checks        performed earlier in the function (e.g. password checks) to be        avoided, allowing secure operations to be carried out without        the proper security authorization.    -   When a branch is executed by a library in the secure domain 90        and causes a transition to the less secure domain, then the        return address is automatically pushed to the stack associated        with that library 100 and a reserved dummy value from the        reserved address range 150 is placed in the link register 22.        When a subsequent function return branches to the dummy value,        then this is detected by the security protection hardware 40,        which fetches the actual return address from the stack of the        secure library 100. This prevents a secure address being        accessible to non-secure code. This is described in more detail        below with respect to FIG. 11.    -   When a secure function is called from the less secure domain 80,        the function return address provided by public code can be        modified by the security protection hardware 40 to indicate that        processing will return to the less secure domain 80 when        returning from the function. For example, a target domain bit        can be set in the return address to indicate that the function        return should return to the less secure domain 80. When carrying        out the function return, it can be checked whether the function        return address actually corresponds to a location that is        callable from the domain indicated by the set target domain bit,        and if not, then a fault can be triggered. This prevents attacks        where a hacker modifies the function return address passed by        the less secure domain 80 to try to trigger an uncontrolled        transition from the secure domain to other secure code. This can        be dangerous because a secure-secure branch would not typically        be policed by the security protection hardware 40. By sanitizing        the function return address passed from the less secure domain        before the function return is carried out, such attacks can be        prevented.

Therefore, various security measures can be taken by the hardware 40.However, it may also be desirable to provide the same protection whenswitching between secure libraries 100 within the secure domain 90, asif these libraries are implemented in separate hardware protectiondomains. FIGS. 6 and 7 show different techniques for achieving this.

In FIG. 6, a function call from a first secure library 0 to a secondsecure library 1 causes a switch to the less secure domain 80 beforeswitching back to the second secure library 1 in the secure domain 90.By temporarily switching to the less secure domain 80, the call to thesecond secure library appears to the hardware 40 as if it is a switchfrom the less secure 80 to the secure domain 90, and so the hardwareprotection measures described above are performed by the securityprotection hardware 40 in the same way as would be the case if lesssecure code called the second secure library 1. The library manager 100checks that the call went via the less secure domain, but otherwise doesnot need to perform the security measures performed by the hardware 10.One way to trigger the temporary switch of domains is to set the targetdomain bit discussed above in the target address of the function call toindicate the less secure domain 80 while the actual target addresscorresponds to a location in the secure domain 90 corresponding tosecure library 1.

However, when switching to the less secure domain 80, any operands beingpassed between the two secure libraries may be visible to less securecode. An attacker may be able to trigger an interrupt when the processoris in the less secure domain 80, to gain access to any operands beingpassed via the stack or via registers. For some applications, this maynot matter. For some software applications, the software vendors mayrequire the security protection between libraries 100 to stopcompetitors cloning their software code, rather than to protect accessto data. For such applications, the technique shown in FIG. 6 may beacceptable and it may not matter whether data processed by the securelibraries is accessible in the less secure domain.

However, for other applications (e.g. banking) the data itself may besensitive and the less secure domain should be prevented from accessingoperands being passed between secure libraries. For such applications,the function call between different secure libraries 100 may take placeentirely in the secure domain, as shown in FIG. 7, and the librarymanager 110 may perform the security protection functions which wouldnormally be performed by the security protection hardware 40. Hence, thetransition between libraries is provided with the same protection as thetransition between the less secure domain and the secure domain, butwithout the hardware being invoked. While performing the securitymeasures in software is slower than using the hardware, this approachmaintains the security of any operands passed between the libraries.

For some systems, both of the techniques shown in FIGS. 6 and 7 may besupported. For a given function call between secure libraries, thelibrary manager 110 may detect whether the call went via the less securedomain 80. If so, it can be assumed that the hardware will perform thesecurity protection operations. If the call did not go via the lesssecure domain 80, then the library manager 110 performs the securityprotection operations, in other embodiments, only one or other of thetechniques shown in FIGS. 6 and 7 may be supported.

When performing a function call, conventional systems typically use thegeneral purpose registers 8 to pass arguments. If there is not enoughspace in the general purpose registers, then the stack can be used topass excess arguments. However, this approach cannot be used when onesecure library 100 calls another secure library 100 as shown in FIGS. 6and 7, because the respective libraries 100 have their own stacks 30 inthe data store 6 which are not accessible to other libraries 100. If thefunction arguments are not sensitive, then they can be passed betweenlibraries 100 by storing them to the less secure stack 32 which isaccessible by any of the secure libraries 100 in the secure domain 90.On the other hand, if sensitive data is passed between libraries thensoftware methods such as mailboxes provided by the library managementsoftware 110 can be used to ensure the security of the arguments.

FIG. 8 shows a method of performing security checks using the hardware40 and the secure and less secure MPUs 50, 52. At step 200 a branchoperation occurs to change program flow to an instruction at a targetaddress. At step 202, the security protection unit 42 and the securityprotection hardware 40 determine whether there is an access violation.An access violation is detected if the current domain of operation isthe less secure domain, the target address is in the secure region 44,and the instruction at the target address is not a guard instruction. Ifan access violation is detected, then the hardware 40 triggers asecurity fault at step 204. At step 205, the hardware 40 detects whetherthe branch crosses the boundary 70 between the less secure domain 80 andthe secure domain 90. If so, then at step 206 the security protectionhardware 40 performs the hardware security protection operationsdescribed above. If not, then step 206 is omitted.

At step 208, it is determined whether the branch target address is inthe secure domain 90 or the less secure domain 80 (based on which region44, 46 of the data store 6 includes the target address). If the targetaddress is in the secure domain 90, then at step 210 the secure MPU 50is active and checks its access permissions for a sub-region includingthe target address to detect whether there is a secure MPU 50 accessviolation. The violation may occur because the branch is to an inactivelibrary, or because unprivileged code is seeking to access a privilegedregion. If there is a secure MPU 50 access violation, then at step 212 asecure memory manage exception is triggered. On the other hand, if thetarget address is in the less secure domain 80 then at step 214 the lesssecure MPU 52 is active and determines whether there has been an accessviolation, and if so then at step 216 a less secure memory manageexception is triggered. If no access violation is detected, then at step220 the access associated with the branch instruction is carried out andprocessing continues.

The method similar to the one shown in FIG. 8 may also be performed fordata accesses specifying a target address. However, for data accesses,step 208 would detect the domain in which the processing circuitry 4 iscurrently operating (rather than the domain associated with the targetaddress), and the MPU corresponding to the current domain would then beused at step 210 or step 214.

FIG. 9 illustrates a method of handling the memory manage exceptiontriggered at steps 212 and 216 of FIG. 8. In the example of FIG. 4, thelibrary manager 110 manages multiple secure software libraries 100 inthe secure domain and this technique is not used in the less securedomain. In this case, the method of FIG. 9 would be performed only atstep 212 and not at step 216. However, as described below with respectto FIG. 12, it is possible for a similar library manager to be providedin the less secure domain 80, in which case the method of FIG. 9 canalso be performed for step 216.

At step 230, the library manager 110 looks up the library configurationdata 112, and at step 232 the library manager uses the libraryconfiguration data 112 to determine whether there is a change of activelibrary. This can be done in various ways. For example, the targetaddress may be checked against library configuration data 112 definingwhich MPU regions correspond to each library. However, this can takesome time. A quicker approach would be to restructure the library codeso that all valid entry points to a library are located within a small,fixed size, region of memory called a “trampoline” region, from which asubsequent branch can be made to the region of code which needs to beexecuted. By restricting the trampoline regions to which branches toinactive libraries can be made, less configuration data needs to bechecked, and so it is quicker to detect which library corresponds to agiven access. For example, if the trampoline regions associated witheach library 100 are of fixed size and adjacent to each other in theaddress space, then a library identifier could be calculated quicklyusing the following formula:

$\frac{\begin{matrix}{{{Branch}\mspace{14mu}{target}\mspace{14mu}{address}} -} \\{{Base}\mspace{14mu}{address}\mspace{14mu}{of}\mspace{14mu}{library}\mspace{14mu} 0\mspace{14mu}{trampoline}\mspace{14mu}{area}}\end{matrix}}{{Trampoline}\mspace{14mu}{area}\mspace{14mu}{size}}$

Even if the trampoline areas are not all the same size, but aremultiples of a fixed size the result of this formula may be used toindex into a smaller table to obtain the actual library identifier.Therefore, there are various ways in which the library manager 110 candetermine which library corresponds to the target address.

If the target address does not correspond to a change of library 232,then at step 234 fault handling is performed to handle the memoryprotection fault triggered at 212 or 216. Any known technique forhandling memory protection faults may be used. For example, processingmay be aborted to prevent access to privileged data by unprivilegedcode.

On the other hand, if at step 232 it is determined that the memorymanage exception has been caused by a change to an inactive library,then this is not as dangerous as other memory protection faults and canbe handled by the library manager 110. At step 234, the library manager110 switches the access permissions of the MPU 50 so that the regionscorresponding to a previously active library become inaccessible and theregions corresponding to the newly active library become accessible.From now on, accesses to the old library will trigger the memoryprotection fault while accesses to the new target library will not. Thelibrary configuration data 112 defines which regions should be set asaccessible or inaccessible when a particular library becomes active.

At step 235, the library manager 110 stores to the library configurationdata 112 the stack pointer of the previously active library which iscurrently stored in the stack pointer register 24. The stack pointer mayhave changed since that library was activated and so the stack pointerpreviously held in the library configuration data 112 may be out ofdate. By updating the stack pointer for the previously active library inthe library configuration data 112, when that library is activated againlater on it is possible to determine the location of the correspondingstack.

At step 236, the library manager 110 determines whether a stack 30 hasalready been allocated for the newly active library. If not then at step238 a stack for the newly active library is allocated in the data store6, while if a stack has already been allocated then step 238 is omitted.At step 240 the library manager 110 restores the stack pointer of thestack corresponding to the newly active library to the stack pointerregister 24. The new stack pointer is obtained from the libraryconfiguration data 112.

At step 242, the library manager 110 determines whether the securityprotection hardware 40 has already performed the security protection atstep 206. This is the case if the branch crossed the boundary 70 betweenthe less secure and the secure domains. If the hardware 40 has alreadyperformed the security protection operations then the memory manageexception returns and processing of the library continues at step 246.If the hardware 40 has not already performed the security protectionoperations, then they are performed in software by the library manager110 at step 248 before returning from the exception at step 246. Thelibrary manager 110 may also perform a second security protectionoperation regardless of whether the hardware has already performed thefirst security protection operation. For example, only certain librariesmay be allowed to make function calls to a particular library, andfunction calls from other libraries may be prevented from continuing.

FIG. 10 shows an example of nested function calls between less securecode 105 and two secure libraries 100-0, 100-1. A first function call(Call 1) is made from secure library 100-0 to the less secure code 105.A second function call (Call 2) then occurs from less secure code 105 tosecure library 100-1. After a function return (Ret 2) from the secondfunction call, a third function call (Call 3) occurs again targetingsecure library 100-1. Following a return (Ret 3) from the third functioncall, processing then returns (Ret 1) from less secure code 105 to thesecure library 100-0 which made the first function call (Call 1).

As discussed above, the security protection hardware 40 may hide thereturn address of Call 1 to prevent the less secure code 105 accessingthe return address. This can be done by storing the function returnaddress of Call 1 to the stack associated with the secure library 100-0and storing a dummy return address to the link register 22 to triggerthe hardware 40 to obtain the real function return address from thestack when performing the function return Ret 11. However, when Call 2is made to secure library 100-1 then the switch of libraries means thatthe library 100-0 is deactivated and so when the less secure code 105performs the function return Ret 1, the function return address is nolonger accessible.

To address this problem, the return address can be handled as shown inFIG. 11. Following Call 1, the actual return address 300 is placed on astack 305 associated with secure library 100-0 while a dummy address 310which does not correspond to a valid instruction address is placed inthe link register 22. This means that the less secure code 105processing the first function call can only see the dummy address andcannot see the secure return address 300.

When Call 2 is made from the less secure code 105 to the secure library100-1, the return address of Call 2 is stored in link register 22 (asCall 2 is made from less secure code 105, it is not necessary to maskthe return address and the actual return address can be stored to linkregister 22). Call 2 also causes the library manager 100 to perform aswitch of libraries and stores a verification value 320 to the stackframe of the stack 305 associated with library 100-0 that includes thereturn address 300. The verification value comprises an identifier ofthe library 100-1 which is now being activated. Whilst switching theactive library from library 100-0 to library 100-1 and switching thestack pointers in the secure stack pointer register 24, the librarymanager places a second dummy address 312 on the stack 315 associatedwith secure library 100-1. The library manager 110 uses a differentdummy address 312 to the dummy address 310 stored to the link register22 by the hardware, to indicate that on returning from Call 1 there willneed to be a switch of active libraries. The library manager 110 alsostores a status value 340 to the stack 315 of library 100-1. The statusvalue 340 indicates the previously active library 100-0, and thereforethe library to reactivate when processing return 1.

On returning from Call 2 (function return Ret 2), processing branches tothe address stored in the link register 22. Call 3 and its correspondingfunction return Ret 3 are handled in the same way as Call 2 and Ret 2,except that now secure library 1 is active no exceptions are generatedand no overhead associated with the library manager is encountered.

After Ret 3, the function return Ret 1 occurs, corresponding to theoriginal function call Call 1. The less secure code 105 branches to theoriginal dummy value 310 that was placed in the link register when Call1 was made. The hardware detects this branch to a reserved address andretrieves the return address from the currently active secure stack 315.As the address retrieved is actually the reserved non executable dummyaddress 312 previously placed on the stack by the library managementsoftware 110, a memory management exception is raised by the hardware.The library management software 110 handles this exception anddetermines that it needs to perform active library switching. Thelibrary management software 110 detects from the status information 340that library 100-0 should become active and that library 100-1 shouldnow become inactive. The library management software 110 checks theverification information 320 stored on the stack 305 of library 100-0,to ensure that the verification information 320 indicates the library100-1 is the library to be made inactive and the status information 340has not been modified. On the other hand, if the status value 340 hadbeen modified while on the stack 315 associated with the library 100-1,then a different library would be indicated as needing to be reactivatedwhose stack would not contain the verification value 320 in its returnaddress stack frame, and the absence of the correct verification value320 is detected by the library management software 110 which triggers afault.

Hence, the status value 340 and verification value 320 enable thelibrary manager 110 to determine which library to switch back tofollowing the called function and to verify that this has been carriedout correctly. Therefore, even when a switch of active libraries occurs,it is still possible to use the stacks to prevent less secure code 105accessing a secure return address.

Once the integrity of the status information 340 has been verified thelibrary manager software 110 can cause processing to resume at thereturn address 300 specified on the stack of library 0 305.

While FIG. 4 shows an example in which the library manager 110 enforcesprotection between several secure software libraries 100 in the securedomain 90, it is also possible to use this technique for the librariesin the less secure domain 80. FIG. 12 shows an example in which a lesssecure library manager 410 is provided which is similar to the securelibrary manager 110. The secure library manager 110 selects an activesecure library 100 and one or more inactive secure libraries 100, andthe less secure library manager 410 selects an active less securelibrary 400 and one or more inactive less secure libraries 400. Accesses420 to inactive libraries in either domain 80, 90 trigger thecorresponding library manager 110, 410 to perform library switching.Security protection operations are performed by the security protectionhardware 40 when an access 420 crosses the domain boundary 70. Whenswitching between libraries in the same domain, the hardware 40 can beinvoked by temporarily switching domains, or the corresponding librarymanager 110, 410 can perform the corresponding security protectionoperations, as shown in FIGS. 6 and 7. In this way, a large number ofsoftware libraries may be protected from each other in both the lesssecure domain 80 and the secure 90 with little hardware overhead.

Additional examples of security protection operations which may beperformed by the security protection hardware 40 are described incommonly-assigned UK patent applications 1220769.2 and 1217531.1 andU.S. patent application Ser. Nos. 13/368,419, 13/680,298 and 13/741,709,the contents of which are incorporated herein by reference.

Although illustrative embodiments of the invention have been describedin detail herein with reference to the accompanying drawings, it is tobe understood that the invention is not limited to those preciseembodiments, and that various changes and modifications may be effectedby those skilled in the art without departing from the scope and spiritof the invention as defined by the claims.

I claim:
 1. A data processing apparatus comprising: processing circuitryfor performing data processing in response to instructions, theprocessing circuitry having a plurality of domains of operationincluding a secure domain and a less secure domain, wherein at leastsome data accessible to the instructions when operating in the securedomain is inaccessible when operating in the less secure domain;security protection hardware configured to perform a first securityprotection operation in response to the processing circuitry callingbetween the less secure domain and the secure domain; and a data storeconfigured to store a plurality of software libraries and librarymanagement software for execution by the processing circuitry; wherein:the library management software is configured to control the processingcircuitry to set at least one of the plurality of software libraries asan active software library which is executable by the processingcircuitry, and to set at least one other software library as an inactivesoftware library which is not executable by the processing circuitry;and in response to the processing circuitry calling a target inactivesoftware library, the library management software is configured toperform active library switching to control the processing circuitry toset the target inactive software library as an active software libraryand to set a previously active software library as an inactive softwarelibrary.
 2. The data processing apparatus according to claim 1, whereinthe plurality of software libraries comprise a plurality of securesoftware libraries for executing in the secure domain.
 3. The dataprocessing apparatus according to claim 1, wherein in response to theprocessing circuitry calling the target inactive software library, thelibrary management software is configured to control said processingcircuitry to perform a second security protection operation and, if saidsecond security protection operation is successful, to perform theactive library switching.
 4. The data processing apparatus according toclaim 1, comprising a memory protection unit configured to store accesspermissions indicating whether regions of the data store are accessibleor inaccessible, wherein said memory protection unit is configured totrigger a fault condition in response to an instruction fetch or amemory access to an inaccessible region; wherein the active libraryswitching comprises controlling the processing circuitry to set theaccess permissions of the memory protection unit to indicate asaccessible at least one region of the data store corresponding to saidtarget inactive software library and to indicate as inaccessible atleast one region of the data store corresponding to said previouslyactive software library.
 5. The data processing apparatus according toclaim 4, wherein in response to the processing circuitry calling thetarget inactive software library, the memory protection unit isconfigured to detect from the access permissions that a regioncorresponding to the target inactive software library is inaccessible,and to trigger an exception for causing the library management softwareto perform the active library switching.
 6. The data processingapparatus according to claim 1, wherein the data store is configured tostore a stack for at least some of the plurality of software libraries;and the data processing apparatus comprises a stack pointer storagelocation configured to store a stack pointer corresponding to the stackfor the active software library.
 7. The data processing apparatusaccording to claim 6, wherein the active library switching comprisescontrolling the processing circuitry to update the stack pointer storagelocation to store a stack pointer corresponding to the stack for thetarget inactive software library.
 8. The data processing apparatusaccording to claim 6, wherein if the data store does not already store astack for the target inactive software library, then the active libraryswitching comprises allocating a stack in the data store for the targetinactive software library.
 9. The data processing apparatus according toclaim 1, wherein the security protection hardware comprises a securityprotection unit configured to store security data defining at least onesecure region of the data store associated with the secure domain and atleast one less secure region of the data store associated with the lesssecure domain; and the processing circuitry is configured to selectwhether to operate in the secure domain or the less secure domain independence on whether the instruction being processed is in a secureregion or a less secure region of the data store.
 10. The dataprocessing apparatus according to claim 1, wherein the first securityprotection operation comprises at least one of: (i) checking whether afirst instruction to be executed following a protected change of programflow is an allowed target instruction for the change of program flow;(ii) in response to a protected function call for triggering processingof a function, preventing instructions of the function from accessing afunction return address identifying the instruction to be processedafter the function has been processed; and (iii) checking whether theone of the secure domain and the less secure domain to which processingis switched in response to a protected change of program flow is anallowed domain specified for the change of program flow.
 11. The dataprocessing apparatus according to claim 1, wherein in response to theprocessing circuitry switching from an instruction of said activesoftware library executed in one of said secure domain and said lesssecure domain to an instruction of said target inactive software libraryto be executed in said one of said secure domain and said less securedomain, said processing circuitry is configured to temporarily switch tothe other of said secure domain and said less secure domain beforeswitching to said instruction of said target inactive software libraryin said one of said secure domain and said less secure domain.
 12. Thedata processing apparatus according to claim 1, wherein in response tothe processing circuitry switching from an instruction of said activesoftware library executed in one of said secure domain and said lesssecure domain to an instruction of said target inactive software libraryto be executed in said one of said secure domain and said less securedomain, said processing circuitry is configured to remain in said one ofsaid secure domain and said less secure domain and said librarymanagement software is configured to control said processing circuitryto perform said first security protection operation.
 13. The dataprocessing apparatus according to claim 1, wherein in response to theactive software library making a protected function call for calling afunction to be performed by other software, the first securityprotection operation comprises storing a function return address of saidfunction to a stack associated with said active software library. 14.The data processing apparatus according to claim 13, wherein in responseto the protected function call, the first security protection operationcomprises storing a dummy function return address to a link register,the dummy function return address comprising an address which does notcorrespond to a valid instruction address; and in response to a functionreturn to the dummy function return address, the security protectionhardware is configured to read the function return address from thestack associated with said active software library and trigger afunction return to said function return address.
 15. The data processingapparatus according to claim 1, wherein on performing active libraryswitching to another software library after a protected function callhas been made from the active software library, the library managementsoftware is configured to control the processing circuitry to setinformation to indicate that there has been a switch of active library;and on a function return corresponding to the protected function call,if the information is set to indicate that there has been a switch ofactive library, then the library management software is configured toperform the active library switching back to the active software librarywhich made the protected function call.
 16. The data processingapparatus according to claim 15, wherein said information comprises aninvalid return address which does not correspond to a valid instructionaddress; and the library management software is configured to performthe active library switching back to the active software library whichmade the protected function call in response to an exception triggeredby a function return to the invalid return address.
 17. The dataprocessing apparatus according to claim 15, wherein said information isstored to a stack of the other software library.
 18. The data processingapparatus according to claim 13, wherein in response to the protectedfunction call, the library management software is configured to controlthe processing circuitry to maintain status information indicating whichof the plurality of software libraries made the protected function call.19. The data processing apparatus according to claim 18, wherein if thesoftware library which made the protected function call is an inactivesoftware library after the processing of the function is complete, thenthe library management software is configured to perform the activelibrary switching to control the processing circuitry to set as theactive software library the software library which the statusinformation indicates made the function call.
 20. The data processingapparatus according to claim 18, wherein on performing active libraryswitching to another software library after said protected function calland before a function return corresponding to said protected functioncall, said library management software is configured to control saidprocessing circuitry to store said status information to a stackassociated with said other software library.
 21. The data processingapparatus according to claim 18, wherein in response to the protectedfunction call, the library management software is configured to controlthe processing circuitry to store verification information to said stackassociated with said active software library; and after processing ofthe function is complete, the library management software is configuredto control the processing circuitry to check the verificationinformation to detect whether the status information has been modified.22. A data processing apparatus comprising: processing means forperforming data processing in response to instructions, the processingmeans having a plurality of domains of operation including a securedomain and a less secure domain, wherein at least some data accessibleto the instructions when operating in the secure domain is inaccessiblewhen operating in the less secure domain; security protection hardwaremeans for performing a first security protection operation in responseto the processing means calling between the less secure domain and thesecure domain; and storing means for storing a plurality of softwarelibraries and library management software for execution by theprocessing means; wherein: the library management software is configuredto control the processing means to set at least one of the plurality ofsoftware libraries as an active software library which is executable bythe processing means, and to set at least one other software library asan inactive software library which is not executable by the processingmeans; and in response to the processing means calling a target inactivesoftware library, the library management software is configured toperform active library switching to control the processing means to setthe target inactive software library as an active software library andto set a previously active software library as an inactive softwarelibrary.
 23. A method of data processing for an apparatus comprisingprocessing circuitry having a plurality of domains of operationincluding a secure domain and a less secure domain, wherein at leastsome data accessible to the instructions when operating in the securedomain is inaccessible when operating in the less secure domain, and adata store storing a plurality of software libraries and librarymanagement software for execution by the processing circuitry; themethod comprising: under control of the library management software, theprocessing circuitry setting at least one of the plurality of softwarelibraries as an active software library which is executable by theprocessing circuitry and setting at least one other software library asan inactive software library which is not executable by the processingcircuitry; in response to the processing circuitry calling between theless secure domain and the secure domain, security protection hardwareperforming a first security protection operation; and in response to theprocessing circuitry calling a target inactive software library, thelibrary management software performing active library switching tocontrol the processing circuitry to set the target inactive softwarelibrary as the active software library and to set a previously activesoftware library as the inactive software library.